CVE-2021-28092
📋 TL;DR
The is-svg package for Node.js contains a vulnerable regular expression that allows attackers to cause Denial of Service (DoS) by providing specially crafted malicious strings. When processing these strings, the application gets stuck in regex evaluation, consuming excessive CPU resources for extended periods. This affects any Node.js application using is-svg versions 2.1.0 through 4.2.1 to validate SVG content.
💻 Affected Systems
- is-svg npm package
📦 What is this software?
is-svg (Is Svg Project): an npm package used by Node.js applications to validate SVG content.
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to CPU exhaustion, potentially affecting all users and causing service disruption until manual intervention restarts the process.
Likely Case
Degraded performance and intermittent service disruptions affecting users who trigger the vulnerable code path, with potential cascading effects on dependent services.
If Mitigated
Minimal impact with proper input validation, rate limiting, and monitoring that detects and blocks excessive resource consumption before service disruption occurs.
🎯 Exploit Status
Exploitation requires only sending a malicious string to the vulnerable regex parser, making this easy to weaponize in automated attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.2 and later
Vendor Advisory: https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
Restart Required: Yes
Instructions:
1. Update package.json to specify is-svg version 4.2.2 or later.
2. Run 'npm update is-svg' or 'yarn upgrade is-svg'.
3. Restart your Node.js application to load the patched version.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation to reject or sanitize SVG content before passing it to is-svg, particularly for user-supplied content.
Rate limiting and timeout enforcement
Implement request rate limiting and enforce timeouts on SVG validation operations to prevent resource exhaustion.
🧯 If You Can't Patch
- Implement strict input validation to reject suspicious SVG patterns before they reach the vulnerable regex
- Deploy monitoring and alerting for abnormal CPU usage patterns that could indicate exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list is-svg' to see the installed version. If the version is between 2.1.0 and 4.2.1 inclusive, you are vulnerable.
Check Version:
npm list is-svg | grep is-svg
Verify Fix Applied:
After updating, verify with 'npm list is-svg' that the installed version is 4.2.2 or later, then test SVG validation functionality with known safe inputs.
📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for SVG validation requests
- High CPU usage spikes in Node.js processes
- Application timeouts or crashes during SVG processing
Network Indicators:
- Repeated requests with similar SVG-like payloads
- Requests causing delayed or no responses from SVG validation endpoints
SIEM Query:
source="application_logs" AND (message="*is-svg*" OR message="*SVG*validation*") AND (duration>5000 OR cpu_usage>90)
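The workarounds and the detection section above, as an added example that is not code from this advisory or from the is-svg project: a Node.js guard that applies a size cap before any regex-based SVG check runs, times each validation so a slow call surfaces as the "unusually long processing time" log indicator, and a scan of constructed log lines that implements the SIEM query's logic. `placeholderIsSvg`, the `LIMITS` values and the sample log lines are assumptions, not the real validator or real telemetry.

```javascript
// Added example (not the advisory's or is-svg's code); LIMITS and placeholderIsSvg are assumptions.
const LIMITS = {
  maxBytes: 64 * 1024, // assumption: bound input length before any regex validator runs
  slowMs: 5000,        // mirrors the duration>5000 threshold in the SIEM query
};
// Cheap, anchored pre-checks (no backtracking-prone patterns) run before the validator.
function prefilterSvg(input, limits = LIMITS) {
  if (typeof input !== "string") return { ok: false, reason: "not_a_string" };
  if (Buffer.byteLength(input, "utf8") > limits.maxBytes) return { ok: false, reason: "too_large" };
  if (!input.includes("<svg")) return { ok: false, reason: "no_svg_tag" };
  return { ok: true };
}
// Placeholder validator with a linear-time check; NOT the vulnerable is-svg regex.
function placeholderIsSvg(s) {
  return /^\s*<svg[\s>]/i.test(s) && s.trimEnd().endsWith("</svg>");
}

// Reject oversize input up front and time the validator, so a slow call surfaces as the
// "unusually long processing time" log indicator listed above.
function guardedValidate(input, validator, limits = LIMITS) {
  const pre = prefilterSvg(input, limits);
  if (!pre.ok) return { accepted: false, reason: pre.reason, durationMs: 0, slow: false };
  const start = process.hrtime.bigint();
  const accepted = validator(input);
  const durationMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { accepted, reason: accepted ? "valid" : "invalid", durationMs, slow: durationMs > limits.slowMs };
}

// Detection: the SIEM query's logic over JSON log lines (message mentions is-svg or SVG
// validation AND duration above the threshold); malformed or unrelated lines are skipped.
function findSlowValidations(logLines, slowMs = LIMITS.slowMs) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (!rec || typeof rec.message !== "string") continue; // skip malformed records
    const msg = rec.message.toLowerCase();
    const aboutSvg = msg.includes("is-svg") || (msg.includes("svg") && msg.includes("validation"));
    if (aboutSvg && Number(rec.duration) > slowMs) hits.push(rec);
  }
  return hits;
}

// Constructed sample log lines (documentation-range IPs), not real telemetry.
const SAMPLE_LOG = [
  '{"ts":"2021-05-13T10:00:01Z","message":"is-svg validation ok","duration":12,"src":"10.0.0.5"}',
  '{"ts":"2021-05-13T10:00:02Z","message":"is-svg validation ok","duration":8741,"src":"203.0.113.7"}',
  'not json at all',
  '{"ts":"2021-05-13T10:00:03Z","message":"image resize","duration":9000,"src":"10.0.0.9"}',
];
```

The size cap bounds the worst-case work a backtracking regex can do on one request; the timing and log scan give the operational signal to alert on if patching is delayed.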
🔗 References
- https://github.com/sindresorhus/is-svg/releases
- https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
- https://security.netapp.com/advisory/ntap-20210513-0008/
- https://www.npmjs.com/package/is-svg